AD Admin Group Offline Admin?

Matt
Valued Contributor

People using AD groups for Admin rights know that when you use mobile accounts and leave the network the admin privs do not stick. My question is does anyone have a script that can move this user to the right group?

dseditgroup -o edit -n . -u current_local_admin -p -a $USER admin

I tried this above but was wondering if anyone had a login script?

--
Matt Lee, CCA/ACA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


Matt
Valued Contributor

![external image link](attachments/1e0dd7aae40d4768b2eb009174ae3070)

That's what I see through the Directory tool.

On Oct 19, 2011, at 11:21 AM, Thomas Larkin wrote:

Yes, but are AD users identified by a certain attribute in directory services? Like could I do something like this?

dscl . list /Users ADgroupMembership

Or something of the like to generate a list of users that are actually AD? Sorry, I don't have an AD set up here, but scripting it would be easy as long as I know the proper way to check AD membership from the command line.

-Tom

Matt
Valued Contributor

http://support.apple.com/kb/HT4332

Also found this; however, I don't want a password prompt. I want to be able to either declare the user and password, or have Casper authenticate as it is pushed through a login script.


tlarkin
Honored Contributor

OK with out having AD to test this....this is what I would try:

```bash
#!/bin/bash

# promote AD user to local admin group

UserList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')

for u in ${UserList} ; do
    /usr/bin/dscl . read /Users/${u} AuthenticationAuthority | /usr/bin/grep "Active Directory"
    if [[ $? -eq 0 ]]
    then
        /usr/bin/dscl . append /Groups/admin GroupMemberhip ${u}
    else
        /bin/echo "${u} is not an AD member..."
    fi
done
exit 0
```

Please test this

![external image link](attachments/d2601df4d340495ba1ba7796ec29b3f0)

Matt
Valued Contributor

No luck on that one

tlarkin
Honored Contributor

Do you want to make all AD users admin, or only people in the AD admin group?

Can you give me an example of how dscl reads AD group membership, since I don't run AD?

-Tom

Matt
Valued Contributor

Just the AD users. What I would do is make a smart group based on who is an AD Admin, if that's possible.

tlarkin
Honored Contributor

Yes, but are AD users identified by a certain attribute in directory services? Like could I do something like this?

dscl . list /Users ADgroupMembership

Or something of the like to generate a list of users that are actually AD? Sorry, I don't have an AD set up here, but scripting it would be easy as long as I know the proper way to check AD membership from the command line.

-Tom

rockpapergoat
Contributor III

try again with "GroupMemberhip" changed to "GroupMembership."

Matt
Valued Contributor

… Nate saves the day!

Matt
Valued Contributor

Let me ask you smart people one more thing…

How would one revoke this?

tlarkin
Honored Contributor

derp...

Sorry I wrote that from scratch....please always check for typos. :-)

-Tom

rockpapergoat
Contributor III

and never cut, paste, and run code without being sure of what it does…

tlarkin
Honored Contributor

run the same script but modify the dscl append line with this

dscl . delete /Groups/admin GroupMembership ${u}

Be careful and test this before putting it in production. This is maybe where dseditgroup may be better, since a typo here can delete a whole group. I don't use dseditgroup all that much, but perhaps if deleting group membership it may be the better path, since if you mess up my previous code it can possibly do more damage to the system.

something like:

dseditgroup -o edit -q -n /Local/Default -d username -t user admin

Not sure if that syntax is any good

Matt
Valued Contributor

Awesome.

I am writing an extension attribute to enable and revoke this. Once it's all vetted out I'll share it for anyone interested.

nkalister
Valued Contributor

That's working for you, right Matt?
I'm getting:
<main> attribute status: eDSPermissionError
<dscl_cmd> DS Error: -14120 (eDSPermissionError)

nick
--
Nick Kalister
Desktop Engineering
Hitachi Data Systems
Office: 408.970.4316

750 Central Expressway
Building 32 : M/S 3240
Santa Clara, CA 95050

Cem
Valued Contributor

Another way of doing it is:
Add your users to the AD group, then use the default command to populate AD Domain Admins.
There is a script in the resource kit that uses the Default command to do this.

Cem


Matt
Valued Contributor

I'm not sure what you mean by that.

We already use the Apple Binding tool to tell us which AD groups are for admin users; the issue is that once you unplug from the network they become non-admins.


tlarkin
Honored Contributor

Sometimes I wish I had AD here to test this stuff...but then I would be administering Windows servers....ewwwww

:-)

-Tom

Cem
Valued Contributor

Apologies, you are right. They won't be admin offline.


Cem
Valued Contributor

Hi Matthew,

dscl broke the admin group for me on a couple of occasions and we ended up re-imaging the Macs. I suggest using dseditgroup instead.

I have attached a couple of scripts that you can use with Casper Remote, or just use the one-liner at the bottom of the scripts with a policy.

This was the explanation (see below; it's from the mailing list archive):

Matt
Valued Contributor

What is in reality the best way to automate this?

I would like to be able to add a user to my AD group, have them login, get AD to grant them admin rights, and then have some sort of script run to know that they are in that AD group and move them into the correct local admin group. Same would be if the AD rights were revoked to also revoke local admin.

I find it rather tough that Apple didn't include this option.

tlarkin
Honored Contributor

Well if you run this:

dscl . read /Users/<username> AuthenticationAuthority | grep "Active Directory"

it will either return 0 if Active Directory is present, or 1 if the command errors out. So you can find out the result of the previous command by simply checking the built-in bash function $?. So, hence why in my script I run the command and then check to see what the output was:

```bash
if [ $? -eq 0 ]   # if the command was successful
then
    # a bunch of commands to add user to admin group
else
    # commands to state user is not an AD user
fi
```

I have never had dscl hose any system and have used it a lot in my scripts. However, if you run a command like this:

dscl . delete /Groups/admin GroupMembership username

and some how mess it up to run say this:

dscl . delete /Groups/admin

that isn't really good to say the least. dseditgroup is probably a better method of adding and removing users to group. It is a lot safer to use. I mainly use dscl because that is what I learned first and I am usually also doing other things with it as well.

-Tom


Matt
Valued Contributor

That's right along the lines of my thinking. I am going to try and run with this. dscl has been fine for us, as I use it on a few extension attributes.

tlarkin
Honored Contributor

taking a note from Cem I whipped this up, please test and post on the script repository if it works

```bash
#!/bin/bash

# add user to the local admin group if their account is an AD account
# run as a login hook via casper, $3 will return the current user

# see if the user has Active Directory present as their authentication authority
# (grep exits 0 when the string is found, so it can drive the if directly)
if /usr/bin/dscl . read "/Users/$3" AuthenticationAuthority | /usr/bin/grep -q "Active Directory"
then
    # apply group membership accordingly
    /usr/sbin/dseditgroup -o edit -a "$3" -t user admin
else
    /bin/echo "$3 is not an AD user..."
fi

# now check group membership of user and notify them of any changes
# (-w matches the whole name, so "bob" does not match "bobby")
if /usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -qw "$3"
then
    /usr/sbin/jamf displayMessage -message "We have detected that your user account is a part of Active Directory and you have been added to the local admin group"
fi

exit 0
```
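Pulling the thread's pieces together as an added example (this is my code, not any poster's and not from JAMF's script repository): the AuthenticationAuthority check Tom uses to spot AD accounts, dseditgroup rather than dscl delete for adding and revoking (Tom's warning above), and the offline case that started the thread, where the Mac cannot reach a domain controller and so must not revoke anything. The AD node path /Active Directory/CORP/All Domains and the AD group name mac-admins are placeholders I made up; the script assumes it runs as root from a Casper login hook with the user name in $3, and it checks direct membership of the AD group only.

```bash
#!/bin/bash
# Added example for this thread (not code from any poster or from JAMF):
# a Casper login hook that mirrors membership of an AD group into the local
# "admin" group with dseditgroup, and revokes it again when the AD group no
# longer lists the user. Hypothetical names: the AD node
# "/Active Directory/CORP/All Domains" and the AD group "mac-admins".
# Must run as root: edits on the local node otherwise fail with
# eDSPermissionError (-14120), as seen earlier in the thread.

AD_NODE="${AD_NODE:-/Active Directory/CORP/All Domains}"   # assumption
AD_ADMIN_GROUP="${AD_ADMIN_GROUP:-mac-admins}"              # assumption
LOCAL_ADMIN_GROUP="admin"

# is_ad_account AUTHORITY: succeed when an AuthenticationAuthority value such
# as ";LocalCachedUser;/Active Directory/CORP/corp.example.com:alice:GUID"
# was issued by the Active Directory plugin. Mobile (cached) accounts carry
# the plugin path after the ;LocalCachedUser; tag, so they match too.
is_ad_account() {
    case "$1" in
        *"/Active Directory/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# in_group MEMBERS USER: exact-token match against a whitespace-separated
# GroupMembership list, so "bob" does not match "bobby" the way a bare grep
# would. $1 is deliberately unquoted so the shell splits it into names.
in_group() {
    local member
    for member in $1; do
        [ "$member" = "$2" ] && return 0
    done
    return 1
}

# decide WANTS_ADMIN IS_ADMIN: print the action to take. WANTS_ADMIN is 1/0
# when AD answered, or "unknown" when the domain could not be reached;
# "unknown" never yields "remove", so an offline Mac keeps its admins.
decide() {
    case "$1:$2" in
        1:0) echo add ;;
        0:1) echo remove ;;
        *)   echo noop ;;
    esac
}

# read_members NODE GROUP: print the names in the group's GroupMembership
# attribute, or fail if the node cannot be read (e.g. no domain controller).
read_members() {
    local out
    out=$(/usr/bin/dscl "$1" -read "/Groups/$2" GroupMembership 2>/dev/null) || return 1
    echo "${out#GroupMembership:}"
}

apply() {
    local user="$1" auth ad_members local_members wants=0 is_admin=0 action

    auth=$(/usr/bin/dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null) || auth=""
    if ! is_ad_account "$auth"; then
        echo "$user is not an AD account; leaving group membership alone"
        return 0
    fi

    # Ask the domain directly. If the DC is unreachable dscl fails and we record
    # "unknown" instead of treating the user as a non-member. Direct membership
    # only: nested AD groups are not expanded here.
    if ad_members=$(read_members "$AD_NODE" "$AD_ADMIN_GROUP"); then
        in_group "$ad_members" "$user" && wants=1
    else
        wants=unknown
    fi

    local_members=$(read_members . "$LOCAL_ADMIN_GROUP") || local_members=""
    in_group "$local_members" "$user" && is_admin=1

    action=$(decide "$wants" "$is_admin")
    case "$action" in
        add)    /usr/sbin/dseditgroup -o edit -a "$user" -t user "$LOCAL_ADMIN_GROUP" ;;
        remove) /usr/sbin/dseditgroup -o edit -d "$user" -t user "$LOCAL_ADMIN_GROUP" ;;
    esac
    echo "$user: ad_admin=$wants local_admin=$is_admin action=$action"
}

# Casper passes the logging-in user as $3 to a login hook script.
if [ -n "${3:-}" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        exit 1
    fi
    apply "$3"
fi
```

Attach it as a login hook so it runs as root with the user name in $3. While the Mac is on the network the AD group is read and the local admin group brought into line; while offline the AD read fails, the action is noop, and nobody loses admin. Revocation therefore only happens at a login while connected, which is the trade-off the thread is asking about. If you need nested AD groups honoured, dsmemberutil checkmembership resolves them, at the cost of having to tell "not a member" from "could not resolve" yourself.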

Matt
Valued Contributor

Login Script correct?


FastGM3
Contributor

Hi Tom,

I tried the last script you posted here to move my AD admin user into the local admin group and an error was returned. Could you help? Or is there something out here that is working?

Thanks,
Chuck

```
/usr/sbin/jamf is version 8.6
Executing Policy PromoteAD...
Creating directory structure for /Library/Application Support/JAMF/Downloads/
Downloading http://xxxx/CasperShare/Scripts/PromoteAD.bash...
Running script PromoteAD.bash...
Script exit code: 2
Script result: ;LocalCachedUser;/Active Directory/SJN/xxx.xxxxx.xxx:ctaylor:1E9B8FB6-4032-4F9E-B839-6CEEB0629185
/private/tmp/PromoteAD.bash: line 12: syntax error near unexpected token `do'
/private/tmp/PromoteAD.bash: line 12: `if [[ $? == 0 ]] ; do '
```